RightNow CX May Secure Implementation Guide...without notice by RightNow, in its absolute...

RightNow CX ® May’2011 Secure Implementation Guide April 28, 2011



Documentation. This documentation is © 1998–2010 RightNow Technologies, Inc. This documentation, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. The content of this manual is furnished for informational use only and is subject to change without notice by RightNow, in its absolute discretion, and should not be construed as a commitment by RightNow Technologies. RightNow Technologies assumes no responsibility or liability for any errors or inaccuracies that may appear in the Documentation.

Usage Restrictions. Except as permitted by such license, users of this documentation may not reverse engineer, decompile, disassemble, or attempt to discover or modify in any way the underlying source code of the products described therein or any part thereof. In addition, users of this documentation may not use the content for purposes which are competitive to RightNow Technologies, including but not limited to: modifying, translating, localizing, adapting, renting, leasing, loaning, creating, or preparing derivative works, or creating a patent based on this documentation or any part thereof. Users of this documentation may make a limited number of copies of this documentation solely for their internal use as needed to use the RightNow Technologies products described therein. Each permitted copy of this documentation made by users of this documentation must contain all titles, trademarks, copyrights and restricted rights notices as in the original.

Software Code. Except as provided hereafter, the software code is © 1997–2009 RightNow Technologies, Inc. The software may be covered by one or more of the following patents issued by the United States Patent and Trademark Office: patent numbers 6,665,655; 6,434,550; 6,842,748; 6,850,949; 6,985,893; 6,141,658; 6,182,059; 6,278,996; 6,411,947; 6,438,547; and D454,139, or by the following patent issued by the United Kingdom Patent Office: patent number GB239791. Other patents are also pending.

Trademarks. The following are trademarks of RightNow Technologies, Inc.: RightNow; Multiview Technology; ProServices; RightFit; RightNow Live; RightNow CX, RightNow Community, Locator; SmartConversion; SmartSense; RightNow Outbound; RightNow Service; RightNow Metrics; RightNow Marketing; RightNow Sales; RightNow Voice; RightPractices; RightStart; SmartAssistant; SmartAttribute Technology; Talk RightNow; Proactive; Proactive Customer Service; TopLine; Top Line Customer Service; iKnow; Salesnet, and RightNow Connect. All other trademarks are the property of their respective owners.

Web address: http://rightnow.com
Email address: [email protected]


Table of Contents

Overview ........ 5
Definitions ........ 5
Network and Hosting Infrastructure ........ 5
Security Policies ........ 6
Site Protection ........ 7
    Administrative Site Protection ........ 7
Certificates ........ 8
Session Security ........ 10
    Administrative Session Management ........ 10
    End User Session Management ........ 10
Password Protection ........ 11
Forgotten Passwords ........ 13
Emailing Links ........ 13
Email ........ 13
File Attachments ........ 15
Pass-through Authentication (PTA) ........ 16
Chat ........ 16
    External Queues ........ 17
    Chat API ........ 17
    Server Protection ........ 17
    User Protection ........ 17
Abuse Detection ........ 17
Integrations ........ 18
    RightNow Community ........ 18
    Facebook ........ 18
    Twitter ........ 18
    Open Login ........ 18
Securing the Administrative Interface ........ 19
    Navigation Sets ........ 19
    Workspaces ........ 19
    Permissions ........ 19
Security-related Configuration Verbs ........ 21
Appendix A: Recommended Settings Alphabetically ........ 30
Appendix B: Recommended Settings by Criticality ........ 32
Appendix C: Recommended Settings By Type ........ 34
Appendix D: Security Level Settings ........ 36
Appendix E: Recently Added ........ 38
    Feb’2011 Additions ........ 38
    May’2011 Additions ........ 38


Overview

RightNow Technologies builds and hosts its software products to meet industry standard security requirements, and the protection of our customers’ assets is our highest priority. In addition to using industry standard software development and hosting methods, RightNow CX® can be hosted within our PCI certified environment for additional protection. Our goal is to make your Software-as-a-Service experience completely secure.

Security is a changing landscape, with new attack methods developing continuously, many based on social engineering that takes advantage of a user’s trust. So an important element of product security is your diligence in configuring RightNow CX® and your vigilance in its use. This document discusses a number of important security issues and provides specific information about configuration settings that affect product security.

In addition to being PCI-certified and maintaining a PCI-compliant pod, RightNow Technologies holds a SAS 70 Type II certification for its internal controls, and is compliant with HIPAA (45 CFR Parts 160 and 162). RightNow Technologies uses “defense in depth”, with multiple levels of security crafted to protect everything in the hosted environment from the network infrastructure to the software. In this document, a number of topics are explored in depth and the configuration of RightNow CX® is examined as it relates to the security of customer assets.

Definitions

Attacker – any person attempting to subvert the security measures of a site or system.
Attack Surface – the set of all possible ways an attacker can subvert the security measures of a site or system.
Exploit – a method for successfully attacking a particular vulnerability.
Risk – the potential cost of an exploit. Risk is typically reported on a relative scale rather than in monetary terms.
Threat – a type of attack method within a taxonomy of attack methods.
Vulnerability – a defect in a software or hardware system that could be exploited.

Network and Hosting Infrastructure

RightNow CX® sites are hosted in security-hardened pods, each protected by redundant firewalls and a Demilitarized Zone (DMZ) architecture. All major services are separately hosted and load-balanced. The pods are audited internally and externally on a daily basis, and every quarterly software release is subjected to a third-party audit. In addition, a dedicated security staff monitors all systems for events that could jeopardize system reliability or data integrity.


Security Policies

When configuring RightNow CX®, your goal is to obtain the maximum effectiveness for your employees and customers, while also ensuring that your site is safe from threats. RightNow software is designed and implemented to have the highest levels of security, but our customer base has different needs, and configuration options are provided to allow customers to accept different levels of risk. Your sensitivity to those risks should dictate the configuration and management policies you use. The threats to using a web-facing software product to collect and store data are:

- The leakage of data to unauthorized people.
- An attacker tampering with data in order to subvert security measures.
- Vandalism of the host site.
- Attacks against site users.

In developing a security plan for using the product you should consider:

- The type of data that will be collected and stored. For example, is personal information such as names, addresses, telephone numbers and email addresses collected? Is medical or financial information collected and stored? Are there security standards or certifications, such as HIPAA or PCI, mandated for your data?
- The methods used to obtain the data. For example, does information come over the public Internet or from a private intranet? Does information come from a voice-based system?
- The access method for the data. For example, do viewers have to provide credentials such as a user id and password, or is data openly available?
- The risks to the organization if data is released to unauthorized people. Is the potential cost small, or would it have a significant impact? Are there legal ramifications to data leakage?

Asking such questions should help you determine the content of the security plan, which should cover the following issues:

- Users – define the various groups of users.
- Authentication – what authentication methods are available, and which should be used for each type of user?
- Authorization – for each type of data, which types of users should have access, and how should the authorization be accomplished?
- Communication – what communication methods will be used, and what efforts should be made to protect communications from being compromised?

You should never assume that your security system is foolproof. New attacks are designed daily, and you should expect that any weakness will eventually be exploited. Continuing vigilance and process improvement are required to minimize risk. The following is a minimal set of issues that relate to the use of RightNow Technologies software. If you want more information about establishing an enterprise security plan, you are referred to:

- Writing Information Security Policies by Scott Barman
- Information Security Policies and Procedures by Thomas Peltier
- http://www.sans.org/resources/policies/

Site Protection

One of the most important things you can do to protect your site is to limit access to it as much as possible. By restricting access to the site, or to certain facilities on the site, you reduce the opportunities for those with malicious intent to gain access to your assets. For RightNow CX®, there is a division between the Administrative and the End User facilities on the site, and they can be protected independently.

Administrative Site Protection

SEC_CONFIG_PASSWD is the password required to access the Configuration Editor. It is imperative that it be set to a secure value and not left blank or given a trivially easy value.

The SEC_VALID_ADMIN_HOSTS configuration verb allows a system administrator to restrict access to the Administrative Interface to a limited set of IP addresses. Only the IP addresses listed (they can be network groups) will be allowed to access the administrative interface. If the set of IP addresses changes often, the administrative effort will be increased. A similar configuration is SEC_VALID_INTEG_HOSTS, which specifies the host IP addresses that are allowed to access the integration interface. This should be set carefully to allow only the necessary hosts, as the integration interface provides access to much of the product functionality.

To reduce the opportunity for an agent session to be misappropriated, it is recommended that the CLIENT_SESSION_EXP configuration verb be set to a reasonable value. When set to a non-zero value, it specifies the number of minutes the client can be idle (no user input) before the session is closed, which precludes the session being used by someone other than the agent. A value of 15-30 minutes is considered safe.

LOGIN_SECURITY_MSG is a configuration that allows an administrator to set a message that will be displayed in a dialog on every administrative login. Its purpose is to warn anyone accessing the site of the restrictions on using the site and to allow them to abandon the login process. There are legal ramifications for this message, so it should be designed carefully. The default is blank, which indicates that no message is to be given.

End User Site Protection

The end user interface can also be protected by setting configuration verbs to control access and functionality. A site should be configured to limit access as much as possible within the scope of the services you want to extend to your users.


SEC_VALID_ENDUSER_HOSTS and SEC_INVALID_ENDUSER_HOSTS are lists of host IP addresses that are allowed or denied access to the end user interface, respectively. Any user coming from a host in the valid list is allowed access, and any user coming from a host in the invalid list will be denied access. The valid list is practical only where the set of end users is confined to a relatively small number of domains, such as an intranet. The invalid list is available primarily to prevent web spidering from known locations.

SEC_END_USER_HTTPS allows access using the SSL protocol only, which provides the maximum level of protection for communications between the user and the RightNow CX® service. This setting should be set only by RightNow Technologies Hosting Services, and it should include setting HTTPS_REDIRECT. Contact RightNow Customer Care for assistance.
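As an added illustration (not code from the guide or the product), the allow/deny semantics of the three host verbs above can be modelled as follows. It assumes entries are single IPs or CIDR network groups, that an empty valid list means no restriction, and that the invalid list takes precedence where a host appears on both; the guide states none of these details explicitly, and the addresses are constructed.

```python
import ipaddress

# Constructed example values for the three host-restriction verbs. The guide says
# entries may be network groups; CIDR notation is this example's assumption.
SEC_VALID_ADMIN_HOSTS = ["203.0.113.10", "198.51.100.0/24"]
SEC_VALID_ENDUSER_HOSTS = []                  # empty: no allowlist on the end user interface
SEC_INVALID_ENDUSER_HOSTS = ["192.0.2.0/24"]  # constructed example of a known spidering range


def _parse_hosts(entries):
    """Convert verb entries to network objects; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def _matches(client_ip, networks):
    """True if the client address falls inside any of the listed networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def admin_access_allowed(client_ip, valid_hosts=SEC_VALID_ADMIN_HOSTS):
    """SEC_VALID_ADMIN_HOSTS: only listed hosts reach the administrative interface.
    Assumption: an empty list means the verb imposes no restriction."""
    networks = _parse_hosts(valid_hosts)
    return True if not networks else _matches(client_ip, networks)


def enduser_access_allowed(client_ip,
                           valid_hosts=SEC_VALID_ENDUSER_HOSTS,
                           invalid_hosts=SEC_INVALID_ENDUSER_HOSTS):
    """SEC_INVALID_ENDUSER_HOSTS denies; SEC_VALID_ENDUSER_HOSTS, when non-empty,
    allows only its members. Assumption: the deny list wins if a host is on both."""
    if _matches(client_ip, _parse_hosts(invalid_hosts)):
        return False
    valid = _parse_hosts(valid_hosts)
    if valid and not _matches(client_ip, valid):
        return False
    return True


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5", "203.0.113.200"):
        print(f"{ip:>15}  admin={admin_access_allowed(ip)}  enduser={enduser_access_allowed(ip)}")
```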

Certificates

Public key or digital certificates are the cornerstone of client-server communication security, and understanding their use is important in securing a system. The Public Key Infrastructure (PKI) defines a number of uses for digital certificates, but usually they are used to prove identity. If the identity of a system is known to be valid in the world of digital communications, that means you should be able to trust that entity to behave in certain ways. It is all a matter of trust.

Every entity with an identity in a secure PKI exchange has a public key and a private key; the public key can be used to encrypt data, but not decrypt it; private keys provide the reverse functionality. Keys can be generated by anyone with a desire to use the infrastructure. When you need a certificate, you ask a Certificate Authority (CA) to issue one to you (and pay). By definition, a CA should be trusted, although there is no specific definition of that term. If you trust a particular CA, then you will trust their assertion that a certificate they have issued is valid. If you receive a certificate from a site that was issued by Sam’s Tattoo and Internet Security Emporium, you have the choice to reject that certificate regardless of what Sam has to say about it.

In a typical scenario, a system administrator creates a public and private key using software that produces a string of information about the system and probably a pass phrase, and then hashes it (encrypts it irreversibly with a strong digital digest algorithm, like SHA). The public key and information about the system are sent to a CA, which puts that information in the certificate with a timestamp, a serial number and some other data, adds its own domain name and public key, and then signs it. The signature is computed over the hash of the certificate’s content. Figure 1 is a simple diagram of the arrangement.

Safety Bank wants to be able to provide secure communication between its web server and browsers. So it asks a reputable Certificate Authority to issue a certificate in the name of Safety Bank. It stores the certificate and, when a browser requests secure communications, it responds with the certificate. The browser looks in the certificate to get: 1) the domain name of the sender, 2) the public key of the sender, 3) the CA name, domain and some other things. The browser goes through a complex process of verifying that the certificate is not forged, not expired, not revoked or otherwise invalid. If the certificate is valid, the browser can begin communicating securely by using the public key of Safety Bank to encrypt data. The certificate is stored on the system and can be used again when secure communications with Safety Bank are needed.

One important part of this is that the browser must know the CA, in the sense that the browser has to have previously stored information, including the CA’s public key, which is used to perform the validation. If your browser does not recognize the CA, it may simply abort the operation, but it could also ask you if you want to install the new CA. Pertinent information is downloaded from the CA and stored. Since the CA can then validate certificates from other sites, this is something you should do only if you are absolutely certain that the CA is reputable. Most browsers come populated with a large number of well-known CAs. You may also find sites that issue self-signed certificates to reduce costs. Be cautious.

[Figure 1: The Certification Process. Parties: Safety Bank, Certificate Authority, Your Browser. Steps: 1. Request a Certificate; 2. Certificate issued; 3. Request secure connection; 4. Get certificate; 5. Validate certificate; 6. Possibly add CA.]

Now that the server is trusted, the client sends back something called the pre-master secret, encrypted with the server’s public key. The server creates a pair of symmetric keys for encrypting and decrypting data and sends that back to the browser. Now both ends are ready to exchange data. One final complication is that the server could also require authentication, which means the client has to send its own certificate and the process is repeated on the server.


Normally, RightNow CX® does not require any configuration for certificates, and it uses well-known, reliable root CAs. You generally should not be asked to add a CA when communicating with a RightNow site.

Session Security

In order to maintain state information about users, web applications use session data that is passed between the user’s system and the web server. If the user is logged in, that session data can provide the necessary authentication for accessing assets that would not normally be available. Session security matters because an attacker who is able to capture session information and reuse it can exploit the trust the system has in the authenticated user. Such attacks are commonly referred to as “Replay Attacks” or “Man-in-the-Middle Attacks”. In order to prevent them, session data should be encrypted, it should be difficult to use from a different computer system, and it should be valid for a limited period of time. RightNow CX® uses different session management schemes for the end user and administrative interfaces. Both encrypt session data stored in cookies, limit the time that session data is valid, and set the Secure flag on cookies to prevent misuse.

Administrative Session Management

Sessions for administrative users are controlled by both a cookie and a session id. The session id is a randomly generated token and provides a second level of authentication for users that have logged in. Access to the administrative interface requires that the user provide a login name and password. The maximum idle time before an administrative user is logged out is set in minutes via CLIENT_SESSION_EXP. If this value is 0, there is no idle timeout, so this value should be used only where there is little opportunity for a session to be hijacked or the risk of an exploit is acceptable.

End User Session Management

Depending on needs, user sessions can require authentication with a login name and password, or not, creating a class of anonymous users. Functionality may be reduced for anonymous users, and the state information for users is maintained with cookies. They are a relatively safe means of maintaining state information about a user between actions. Every user, authenticated or not, has a cookie named cp_session that maintains session data, unless the configuration CP_COOKIES_ENABLE is disabled. In that case, session data will be passed in the URL. In order to log in to the RightNow CX® Customer Portal, users must have cookies enabled in their browser, and they will receive a cookie named cp_profile when they log in. All data in cookies set by RightNow CX® is encrypted.

The cp_profile cookie has a lifetime controlled by the MYSEC_LOGIN_COOKIE_EXP configuration, which sets the period of inactivity that is allowed before the cookie expires. The largest risk is that shared computers might allow someone to use privileges that belong to another user, so the value should reflect the sensitivity of the personal information stored on your site. There is a configurable idle timeout via CP_LOGIN_COOKIE_EXP, which sets the amount of time that the user can be idle with respect to the web service before being logged out. The value should be set to reflect the potential risk of having a session hijacked by someone with access to a console.

CP_LOGIN_MAX_TIME can be set to limit an end user session to an upper bound; if a session exceeds this time, the user will be logged off. A value of 0 disables this feature; if set, it should always be greater than or equal to CP_LOGIN_COOKIE_EXP. CP_MAX_LOGINS limits the maximum number of users allowed on a site. CP_MAX_LOGINS_PER_CONTACT limits the maximum number of concurrent logins allowed for any contact (end user). A zero value for each disables the control, and neither is enabled if CP_LOGIN_MAX_TIME is set to zero. CP_MAX_INVALID_LOGINS limits the maximum number of failed logins before an account is disabled for one hour. A value of zero indicates that there is no enforced limit.
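The end user session verbs interact in ways that are easy to misconfigure, so the following added example (not product code) models their semantics as the guide describes them: zero disables a control, CP_LOGIN_MAX_TIME should not be below CP_LOGIN_COOKIE_EXP, and the two concurrency limits are inactive while CP_LOGIN_MAX_TIME is zero. The minute values and counts are constructed, not recommended settings.

```python
from dataclasses import dataclass


@dataclass
class EndUserSessionPolicy:
    """Values (minutes, except counts) of the end user session verbs named in the
    guide; 0 disables a control. Constructed example values, not product defaults."""
    CP_LOGIN_COOKIE_EXP: int = 30        # idle minutes before the user is logged out
    CP_LOGIN_MAX_TIME: int = 480         # absolute upper bound on a session
    CP_MAX_LOGINS: int = 500             # concurrent logins allowed on the site
    CP_MAX_LOGINS_PER_CONTACT: int = 2   # concurrent logins allowed per contact
    CP_MAX_INVALID_LOGINS: int = 5       # failures before a one-hour account lock

    def warnings(self):
        """Consistency checks taken from the guide's description of the verbs."""
        out = []
        if self.CP_LOGIN_COOKIE_EXP == 0:
            out.append("CP_LOGIN_COOKIE_EXP=0: no idle timeout")
        if self.CP_LOGIN_MAX_TIME and self.CP_LOGIN_MAX_TIME < self.CP_LOGIN_COOKIE_EXP:
            out.append("CP_LOGIN_MAX_TIME should be >= CP_LOGIN_COOKIE_EXP")
        if self.CP_LOGIN_MAX_TIME == 0 and (self.CP_MAX_LOGINS or self.CP_MAX_LOGINS_PER_CONTACT):
            out.append("CP_MAX_LOGINS/CP_MAX_LOGINS_PER_CONTACT are inactive while CP_LOGIN_MAX_TIME=0")
        if self.CP_MAX_INVALID_LOGINS == 0:
            out.append("CP_MAX_INVALID_LOGINS=0: no lockout after repeated failures")
        return out

    def session_state(self, login_minute, last_activity_minute, now_minute):
        """Classify a session given three points on a minute timeline."""
        if self.CP_LOGIN_COOKIE_EXP and now_minute - last_activity_minute > self.CP_LOGIN_COOKIE_EXP:
            return "idle-expired"
        if self.CP_LOGIN_MAX_TIME and now_minute - login_minute > self.CP_LOGIN_MAX_TIME:
            return "max-time-expired"
        return "active"

    def login_permitted(self, active_site_logins, active_contact_logins, failed_attempts):
        """Decide whether a new login may proceed; returns (allowed, reason).
        failed_attempts is the number of consecutive failures already recorded."""
        if self.CP_MAX_INVALID_LOGINS and failed_attempts >= self.CP_MAX_INVALID_LOGINS:
            return False, "account disabled for one hour"
        # The guide states the concurrency limits are not enabled when CP_LOGIN_MAX_TIME is 0.
        if self.CP_LOGIN_MAX_TIME:
            if self.CP_MAX_LOGINS and active_site_logins >= self.CP_MAX_LOGINS:
                return False, "site-wide login limit reached"
            if self.CP_MAX_LOGINS_PER_CONTACT and active_contact_logins >= self.CP_MAX_LOGINS_PER_CONTACT:
                return False, "per-contact login limit reached"
        return True, "ok"


if __name__ == "__main__":
    policy = EndUserSessionPolicy()
    print("warnings:", policy.warnings() or "none")
    print(policy.session_state(login_minute=0, last_activity_minute=470, now_minute=481))
    print(policy.login_permitted(active_site_logins=10, active_contact_logins=2, failed_attempts=0))
```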

Password Protection

Passwords are always required for the administrative interface, and the required format rules can be set via the Common Configuration > Staff Management > Passwords configuration section. The parameters are:

- Number of failures allowed before the account is locked.
- Minimum password length.
- Number of allowed repetitions.
- Minimum allowable number of lowercase characters.
- Minimum allowable number of uppercase characters.
- Minimum allowable number of special characters (digits and symbols like :, $, *, etc.).
- Number of previous passwords saved to prevent reuse.
- Password expiration time in days.
- Grace period after expiration before the account is locked.
- Warning period during which the user will be warned at each login.

Although not stated, the maximum password length is 20 characters.

If the data protected by a password is not critical or subject to privacy legislation, the default values may be acceptable. The largest dangers to passwords are the ability to guess a password by brute force means, or the release of a password due to nefarious activities (phishing, for example) or inadvertent release (such as writing it down). So it is important that your choices lead the users to choose strong passwords and to protect them.


The use of end user passwords is controlled by the EU_CUST_PASSWD_ENABLED configuration verb, which determines whether the password field will be shown for end users that create accounts. If disabled, no end user passwords will be allowed, so there is far less security for the site. The minimum length of the end user password is controlled by MYSEC_MIN_PASSWD_LEN.

If accounts are locked after a number of consecutive login failures, it becomes more difficult for an attacker to guess passwords by brute force, but not impossible. If an attacker is able to obtain an encrypted password, they can guess the algorithm used to encrypt it and simply try different strings looking for a match. This is time consuming, but with current computing technology it might be possible to test up to 6 million passwords per second (and this number increases by 10 percent per year). While it is helpful to use case changes and special characters to enlarge the character set, the key to strong passwords is length. If 76 characters are used randomly, it would take no more than 12 hours to guess a six-character password. The time increases to 7 years for 8-character passwords and 230 million years for a 12-character password. Of course, password cracking typically takes advantage of the tendency for people to use common words in passwords, so dictionary attacks can break passwords much more quickly. The lesson is that for maximum security, long passwords are necessary. For example, if a 12-character password is composed of three words from a 100,000-word dictionary, it could take more than 7 years to guess by brute force methods. With even a small amount of randomness built in, the problem rapidly increases to the 230 million year value.

So encourage users to choose long (no less than 10 characters) but easy to remember and type passwords: compositions of common words, song lyrics, poems and so on, with some words misspelled slightly. Their passwords will then be secure, provided they don’t write them down or reveal them. It is always good to add special characters and digits and to mix cases, but the important feature is sufficient length to prevent brute force attacks. And, of course, avoid using words or phrases that can be identified with a person, such as their name, address, telephone number, job title, type of car and so on. Some good passwords are 2BeOrNot2Bee?, MaryhadaL1ttle|am, o|dr0amin4Um or JollyBARN+be4Cow.

The choice of other password handling parameters depends on the situation. If your users don’t log in often, expiring passwords will result in many accounts being locked because the users don’t get the warning. This will result in increased administration unless the warning time and grace time are very long. Locking accounts can prevent direct brute force attacks and some denial-of-service attacks, but it can also increase administrative overhead. If you require users to change their passwords regularly, you need to save some history information to prevent reuse; at least five past passwords. You will find that most users will make a minor change in their password and eventually cycle back to the original, so it is difficult to assess the value of this strategy. If you are concerned that passwords could be compromised by poor user handling of passwords or by some form of attack, it is wise to require regular changes. However, mandating frequent password changes in an environment where they are strong and not shared does not enhance security and may actually hamper security by causing people to store passwords in electronic or written media.
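The added example below (not code from the guide) works through the order-of-magnitude arithmetic behind the 12 hours / 7 years / 230 million years figures, and implements a checker for the administrative rule set listed under Password Protection, including the 20-character maximum. The rule values are constructed examples, the meaning of "repetitions" as a run of one repeated character is an assumption, and a real system would compare the history as stored hashes rather than plaintext.

```python
from dataclasses import dataclass

GUESSES_PER_SECOND = 6_000_000   # rate quoted in the guide
CHARSET_SIZE = 76                # alphabet size assumed by the guide's figures
SECONDS_PER_YEAR = 365 * 24 * 3600
MAX_PASSWORD_LENGTH = 20         # the unstated administrative maximum


def brute_force_seconds(length, charset=CHARSET_SIZE, rate=GUESSES_PER_SECOND):
    """Worst-case time to enumerate every password of a given length at the given rate."""
    return charset ** length / rate


def dictionary_phrase_seconds(words, dictionary_size=100_000, rate=GUESSES_PER_SECOND):
    """Same arithmetic for a passphrase of `words` words drawn from a dictionary."""
    return dictionary_size ** words / rate


def describe(seconds):
    """Human-readable duration: hours below two days, otherwise years."""
    if seconds < 48 * 3600:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


@dataclass
class AdminPasswordRules:
    """The rule set from Common Configuration > Staff Management > Passwords.
    Values are constructed examples, not the product's defaults."""
    min_length: int = 10
    max_repetitions: int = 2     # longest allowed run of one repeated character (assumed meaning)
    min_lowercase: int = 1
    min_uppercase: int = 1
    min_special: int = 1         # digits and symbols
    history_size: int = 5        # previous passwords that may not be reused


def longest_run(text):
    """Length of the longest run of identical consecutive characters."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(candidate, rules, history=()):
    """Return the rule violations for a candidate; an empty list means it is acceptable.
    `history` holds earlier passwords in plaintext here; a real system compares stored hashes."""
    problems = []
    if len(candidate) < rules.min_length:
        problems.append(f"shorter than {rules.min_length}")
    if len(candidate) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH}")
    if sum(c.islower() for c in candidate) < rules.min_lowercase:
        problems.append("too few lowercase characters")
    if sum(c.isupper() for c in candidate) < rules.min_uppercase:
        problems.append("too few uppercase characters")
    if sum(not c.isalpha() for c in candidate) < rules.min_special:
        problems.append("too few digits/symbols")
    if longest_run(candidate) > rules.max_repetitions:
        problems.append("too many repeated characters")
    recent = list(history)[-rules.history_size:] if rules.history_size else []
    if candidate in recent:
        problems.append("reused password")
    return problems


if __name__ == "__main__":
    for n in (6, 8, 12):
        print(f"{n:>2} random chars from {CHARSET_SIZE}: {describe(brute_force_seconds(n))}")
    print(f"3 dictionary words: {describe(dictionary_phrase_seconds(3))}")
    print(check_password("MaryhadaL1ttle|am", AdminPasswordRules()))
```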

Forgotten Passwords

When you have credentials, they can be forgotten. For administrative users, there is no route to recover forgotten credentials other than to contact the system administrator. End users can recover both their login name and password. If the login name is forgotten, the user must enter an email address that matches an email address stored in the contact database. An email containing the user’s login name will be sent to that address. If the password is forgotten, the end user must enter the correct user name, and then a link to the password reset page is emailed to the user. The user’s password is changed to a reset state when the link is sent, so they will not be able to log in unless they complete the process. This must be done within the time frame contained in the configuration setting SEC_EU_MAIL_LINK_EXPIRE. The default value is 24 hours, and it should not be set to a very long time due to the indiscreet nature of email traffic.

Emailing Links

RightNow CX© allows the emailing of links to answers via both the end user and administrative interface. In either case, access to the answers is limited by normal user access rights. If a login is required to access the answer, the user will have to have credentials and will be required to provide them. If the answer is private, the user will be required to belong to the appropriate group. The privileges of the sender do not confer to the receiver, so the security of the data system is maintained.

Email

The Service module allows the configuration of service mailboxes for managing email through a facility named techmail, and email security is very important. Most email is sent over the network in a non-encrypted form, and is therefore to be avoided for any sensitive data. RightNow CX© is designed to prevent the inadvertent release of information, but there are also a number of security settings that are available to enhance protections. The Service Mailboxes security settings are configured through Configuration > Site Configuration > Mailboxes. On this page there is a button labeled Security that has settings for configuring communication security and for email authentication. There are two groups of security settings, Security SSL and S/MIME, that are concerned with the use of Secure Socket Layer (SSL) methods:

Security SSL

SSL Method

There are three choices:

Disabled uses the standard POP email port (110) with no encryption.

Using POP3 SSL Port sets up mail to use SSL on port 995.

Using STLS Command sets up mail to use port 110 but issues a request to switch to SSL after connecting. This is the more modern method, which allows clients not to have to try two ports.

If email data contains sensitive information, use one of the two SSL settings. There are three settings for the two SSL options, each easing the restrictions on the server SSL certificate requirements. They can be used to avoid annoying mail failures, but each reduces the security of the site.

Accept untrusted SSL certificates

If not set, exchanges with email servers that do not have certificates from trusted authorities will be allowed. The risk is that you could exchange data with a server that is spoofing its identity.

Accept expired or not yet valid SSL certificates

If not set, exchanges with email servers that have SSL credentials that are not currently valid are allowed. This can avoid problems with expired credentials causing workflow disruptions, but there is some risk that an attacker could spoof credentials.

Accept SSL certificates with incorrect host name

If not set, exchanges with email servers that have a mismatch between the server name and the certificate name are allowed. This could happen legitimately if the mail server has been moved, but it could also indicate that the server is being spoofed.

S/MIME

These settings provide the certificate and private key file values if some form of SSL is used.

Mailbox personal certificate and key

Using the browser, you can select the file containing the public certificate and private key assigned to the mailbox by the certification authority. This must be done if SSL is used. If you are unsure about this step, see the Mail Configuration section of the RightNow CX© Documentation.

Techmail will import and store certificates from mail servers for future use. The following three settings control the restrictions placed on that process. Each reduces the security of the site but widens the mail that will be allowed.

Import untrusted personal certificates

If not set, the personal certificate can only come from an S/MIME message that has been signed by a trusted authority.

Import expired or not yet valid personal certificates

If not set, the personal certificate can only come from an S/MIME message whose certificate is currently valid, neither expired nor not yet valid.

Do not use S/MIME signature certificates

If checked, unsigned emails will be allowed for incident creation and certificates will not be stored with incidents.

In order to receive signed emails, you will need intermediate certificates. These can be automatically extracted from email, or you may need to upload certificates. Refer to the Email Configuration section of the RightNow CX© Documentation for information on using the File Manager to perform this task.

File Attachments

RightNow CX© allows for attachments to incidents and answers. Attachments are a security concern because they could contain malicious code (malware), or data that is part of an attack on the site. All incoming attachments are scanned for malware, but you should always consider the possibility that something could evade detection. Uploaded files containing HTML are a particular problem because they can provide links to sites that can harvest private data from unsuspecting people. This process is commonly called Cross Site Scripting. No agent or administrative user should follow a link unless it is known to be safe, and no data should ever be entered at a linked site. If it is necessary to go to a referenced site, obtain the correct address and type it into the browser. To avoid creating a threat for users, an HTML file should never be posted for user access or emailed to users unless it is known to be safe. The other problem with HTML files is that they may contain JavaScript or ActiveX controls. These are executable code that can potentially have a significant impact on your system. If browser security works properly, this should not happen, but browsers are one of the least secure types of software. You can disable some of this functionality, but you may need it for many complex sites or applications (including RightNow CX©). So be careful when working with data from untrusted sources and educate users about the risks associated with improper handling of uploaded files.

An additional precaution is to require that viewing of attachments be prevented so that they must be downloaded to be viewed. This protects the RightNow CX© application and the associated data, and allows additional levels of scanning to be applied. The configuration FATTACH_OPEN_ENABLED enables the viewing of attachments, so disabling it prevents any attachment being viewed in an administrative interface. It does not change the display of attachments for end users, so attachments from external sources should be verified safe before they are placed in answers. It would be possible for a malicious user to create incidents with very large attachments to perform an attack against a site. To prevent this, the configuration FATTACH_MAX_SIZE controls the maximum allowable attachment size. The default is approximately 20 megabytes per attachment.


Pass-through Authentication (PTA)

Pass-through authentication (PTA) is a login integration capability in the RightNow CX© product that allows end user authentication to be performed on a different server, typically a single-sign-on customer server. When access is attempted to a RightNow CX© site that has enabled Pass-through Authentication, the user is redirected to the authentication server. The authentication server passes a string to the RightNow product providing the user credentials and a password that controls the pass-through functionality. To learn more, consult the RightNow CX© Integration Manual. There are some obvious security issues in this arrangement. Note that the PTA integration changed significantly with the Nov’2010 release in order to make it more secure.

PTA is enabled via the PTA_ENABLED configuration, which defaults to disabled. If enabled, there are two major categories of configuration that must be handled: one is the setting of various URL locations, which are not discussed here, and the other is the establishment of the encryption method used to exchange authentication information between the login server and the RightNow CX© server. The CX server and the login server must agree on the encryption methods that will be used in order to successfully complete the authentication process.

PTA_ENCRYPTION_METHOD specifies which of the four possible encryption methods is to be used. The default is base-64 encoding, which is not secure and should not be used on a public facing site.

PTA_ENCRYPTION_KEYGEN specifies the method used to create the encryption key from the password. The choices are the standard PKCS5 methods (1 and 2) and no key generation (0). The no key generation option is insecure, and 2, the default value, is superior to 1.

PTA_ENCRYPTION_PADDING sets the padding method to be used.

PTA_SECRET is the secret key or password used to perform the encryption. If this value is set but PTA_ENABLED is off, then the secret key is passed as P_LI_PASSWORD, which is compatible with previous versions of PTA.

Normally, a system that uses PTA will not allow direct logins to the site. If PTA_IGNORE_CONTACT_PASSWORD is set, then direct logins are allowed. In order to log in directly, a user must create an account through the site, and users will not have to provide a password in order to log in through the PTA server. There are obvious disadvantages to this from a security standpoint unless access to the PTA service is restricted to a small group, such as by IP address.
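An added example, not RightNow’s PTA implementation, of the login-server side of the exchange described above and why the settings matter: the key is derived from the shared secret either by PKCS#5 v2 (PBKDF2, the page’s keygen method 2) or not at all (method 0), the credential string is encrypted with a padded block cipher and base64-wrapped for transport, and the same base64 step on its own (the insecure default encryption method) leaves the credentials readable by anyone who sees the URL. AES-256-CBC, HMAC-SHA256, PKCS#7 padding, the salt, the iteration count and the credential string format are assumptions; method 1 (PKCS#5 v1) is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// pbkdf2SHA256 is PKCS#5 v2 key derivation (PBKDF2 with HMAC-SHA256), standard library only.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t { t[j] ^= u[j] }
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// DeriveKey mirrors the PTA_ENCRYPTION_KEYGEN choices above: 0 = no key generation (the
// shared secret is used directly, zero-padded or truncated to 32 bytes), 2 = PKCS#5 v2.
// The salt, iteration count and 256-bit key size are assumptions, not documented values.
func DeriveKey(keygen int, secret string, salt []byte) ([]byte, error) {
	switch keygen {
	case 0:
		key := make([]byte, 32)
		copy(key, secret) // no stretching; a short secret leaves a mostly-zero, guessable key
		return key, nil
	case 2:
		return pbkdf2SHA256([]byte(secret), salt, 10000, 32), nil
	}
	return nil, errors.New("unsupported key generation method")
}

// PKCS#7 padding is the PTA_ENCRYPTION_PADDING choice assumed here; CBC needs whole blocks.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 { return nil, errors.New("bad padded length") }
	n := int(b[len(b)-1])
	if n == 0 || n > size || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptToken is the login server's side: AES-256-CBC with a fresh random IV prepended,
// then base64 so the token can travel in a URL parameter.
func EncryptToken(plain string, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return "", err }
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return "", err }
	padded := pkcs7Pad([]byte(plain), aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(append(iv, out...)), nil
}

// DecryptToken is the CX side, which must hold the same PTA_SECRET and the same settings.
func DecryptToken(token string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("malformed token")
	}
	block, err := aes.NewCipher(key)
	if err != nil { return "", err }
	out := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(out, raw[aes.BlockSize:])
	plain, err := pkcs7Unpad(out, aes.BlockSize)
	if err != nil { return "", err }
	return string(plain), nil
}

// Readable reports whether a credential value can be read out of a token with no key at all,
// which is exactly the situation with the base64-only encryption method.
func Readable(token, needle string) bool {
	raw, err := base64.StdEncoding.DecodeString(token)
	return err == nil && strings.Contains(string(raw), needle)
}
```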

Chat

The RightNow Chat© product allows an end user to open an interactive, real-time written conversation with an agent. There are a number of configuration choices that will protect the sanctity of that exchange of information and the underlying services.


External Queues

Chat external queues allow pages outside of the RightNow CX© pages to direct users to Chat services. In order to prevent potential misuse, CHAT_UQ_EXTERNAL_QUEUES should be set to the list of legal chat queues for external access.

Chat API

The server supports a Chat API which must be enabled by RightNow Hosting. When enabled, the API is protected by setting CHAT_WS_API_IP_HOSTS to the IP addresses and subnet masks of hosts that are allowed to make requests to the Chat API. If not set, all hosts are allowed. CHAT_WS_API_KEY is a shared secret that must be matched by a key sent in every request to the API. The default is blank, but a blank value allows all requests, so a key is not required.

Server Protection

The RightNow CX© server can be protected from potential threats by restricting access to valid Chat servers. SEC_VALID_CHAT_API_HOSTS is a list of IP addresses and subnet masks that specify the legal Chat servers that are allowed to access the public API. If blank, all hosts are allowed. SRV_CHAT_INTERNAL_NET specifies the IP addresses and subnet masks of the valid Chat servers. The default is 0.0.0.0/255.255.255.255 or all hosts.

User Protection

INC_PRIVATE_TRANSCRIPT_ONLY changes the privacy of the information in a Chat exchange. Instead of being added to an incident as public information, it is added as a private note, which restricts access to the data. If users might enter sensitive information during a Chat, this should be enabled. It is also possible to configure the Chat product to allow off-the-record chats, in which the data exchanged is not recorded and can be seen only in real-time by the agent. See the RightNow CX© documentation for the necessary customizations to Customer Portal.

Abuse Detection

A potential threat to any web site is a Denial of Service attack, where the attacker issues a large number of requests for service. These requests can slow the response time to legitimate users, but the attack can also overwhelm the database server, generate copious emails or otherwise interfere with normal operation. In order to prevent these attacks, all RightNow CX© sites are protected by the RightNow CX Abuse Detection System. This system monitors traffic and, if anomalous and potentially threatening characteristics are detected, begins to require CAPTCHAs on many requests. CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) can have different forms, but those used by RightNow CX© are two words displayed in a distorted form. In order to complete the request, the user must enter the words correctly. There is also a visually-impaired version of the CAPTCHA. The CAPTCHAs will normally occur only if there appears to be current active abuse of the system. However, you can require them if so desired, and that process is described in the Customer Portal section of the RightNow CX© Documentation.

Integrations

RightNow Community

RightNow CX© is a flexible solution and includes several APIs that allow the product functionality to be accessed from custom code. It is important to recognize that accessing the product through any API moves a significant part of the responsibility for security to the external code. There are a few configuration verbs that will aid in maintaining security. There are also opportunities to access external data and code from within the product, such as the Community and Cloud Monitoring integration facilities. These facilities may not have the same level of security as RightNow CX©, or the exchange of data may not be completely secure. Configuring your system in high security environments requires special care when employing this functionality.

COMMUNITY_PRIVATE_KEY is the private key to be used to encrypt data between RightNow CX© and the RightNow Community©.

COMMUNITY_PUBLIC_KEY is the public key to be used to encrypt data between RightNow CX© and the RightNow Community©.

Facebook

The RightNow CX© Facebook integration makes it possible to create a Facebook application that provides access between the end user incident system in a RightNow CX© site and the Facebook application. If FACEBOOK_ENABLED is set, the configuration verbs FACEBOOK_APPLICATION_ID and FACEBOOK_APPLICATION_SECRET must also be set to protect the Facebook site. These values are provided when the Facebook application is created. The default for FACEBOOK_INCIDENTS_ENABLED is enabled, and it allows incidents to be created from the Facebook application. If that is not desired, disable it.

Twitter

The RightNow CX© Twitter integration is part of the Cloud Monitoring service provided. If you would prefer that all Twitter searches be done securely over an SSL channel, contact your RightNow Support Team.

Open Login

RightNow CX© supports two open login standards, OAuth and OpenID. This allows easy integration of sites supporting those standards with Customer Portal. For Facebook and Twitter, the user must be registered with the corresponding site and an application created for the OAuth request. See the RightNow CX© documentation for information. When the Facebook application is created, it provides two values, FACEBOOK_APPLICATION_ID and FACEBOOK_APPLICATION_SECRET. These values are entered into the configuration settings as:

FACEBOOK_OAUTH_APP_ID
FACEBOOK_OAUTH_APP_SECRET

When a Twitter application is created for OAuth integration, it provides the application identifier and the OAuth secret, which are used to set:

TWITTER_OAUTH_APP_ID
TWITTER_OAUTH_APP_SECRET

Securing the Administrative Interface

Properly configuring the administrative interface is critical to overall site security because administrative users can be granted the rights to view and modify virtually everything in a site, including user data and site controls. RightNow CX© uses role-based access control through a profile concept. All users belong to a Profile Group, which has specific privileges with regard to administrative functionality. The entire configuration process is too involved to be discussed in this document, but the security ramifications of certain settings are important enough to be repeated here.

Navigation Sets

Each profile has a Navigation Set that specifies the components of the product and the reports that are available to users with that profile. By judicious construction of the Navigation Sets, an administrator can limit access to functionality to only those users that require it.

Workspaces

Workspaces are views of the system data integrated with controls that determine what facilities are available to manipulate that data. Each profile also has one or more workspaces that can be designed to provide only the functionality that is needed by the user. Along with Navigation Sets, Workspaces provide macro-level control over access rights.

Permissions

Within a profile, permissions can be assigned to control the rights of users for each of the following sections of the product: Administration, Organizations, Contacts, Service, Sales, Marketing and Tasks. Each has several blocks of permissions to set. Doing so carefully and thoughtfully greatly enhances the security of the system. This is particularly true of the Administration privileges, which grant users permission to modify configuration settings and administrative controls.

A method for determining what settings should be used is a Role-Access Table. The following is not a complete list of all the permissions available; it is an abbreviated set representing those with direct security ramifications for four roles. The first role is an administrative user that should have access to all functionality; the second is a user with supervisory responsibilities but not for configuring the system; the third is a user that needs access to data but not to any administrative controls; the fourth is a developer who needs access to development and integration interfaces. They are referred to as A, S, U and D in the table. No contrived set of roles will represent any organization exactly, so the assignments below are for the purpose of demonstrating how permissions could be set. In some instances, a role is shown in square brackets ([]) to indicate that such a setting is dependent on how the system is used.

Setting | Functionality | Roles

Administration
Administration | Custom fields, site configuration | A
Configuration | Staff management, site settings | A
Business Process Settings | Application appearance and functionality | A,S
Rules View | Viewing business process rules | A,S,U
Rules Edit | Editing business process rules | A,S
Contact Upload | Upload contacts from external sources | A,S
Broadcast Notification | Send messages to other users | A,S
System Error Log | Access to log files | A,S
Workspace Designer | Create and modify workspaces | A,S
CP Deploy | Deploy a modified Customer Portal site | A,D
WebDav/CP Administration | Access Customer Portal files | A,D
Profiles | Create and modify profiles | A
Groups/Accounts/Dist. List | Access staff accounts and distribution lists | A,S
Transient Login | Ability to login multiple times concurrently through RNConnect | A,D[,S,U]
Public SOAP API | Access the SOAP API | A,D[,S,U]
RightNow Connect | Access the site through RNConnect | A,D[,S,U]
Scripting | Create and edit scripts | A,D

Organizations
Organizations | Create, Modify, Delete, View organizations | A
Organizations | Modify, View organizations | S
Organizations | View organizations | U

Contacts
Contacts | Create, Modify, Delete, View, Move contacts | A
Contacts | Create, Modify, Delete, View contacts | S
Contacts | Modify, View contacts | U

Service
Service | Create, Modify, Delete, View, Propose, Respond To incidents | A
Service | Create, Modify, View, Propose, Respond To incidents | S
Service | Create, Modify, Respond To incidents | U

Sales
Sales | Create, Modify, Delete, View, Respond to leads. Send quotes | A
Sales | Create, Modify, View leads. Send quotes | S
Sales | View leads. Send quotes | U

Marketing
Marketing | Create, View, Edit mailings; Create, View, Edit campaigns; configure | A
Marketing | Create, View, Edit mailings; Create, View campaigns | S
Marketing | View mailings; view campaigns | U

Tasks
Tasks | Create, Modify, Delete, View tasks | A
Tasks | Modify, View tasks | S
Tasks | View tasks | U

Security-related Configuration Verbs

As described in the preceding sections, there are many configuration verbs in RightNow CX© that affect the security of a site. You must make a conscious decision to determine the appropriate desired security level and establish settings that reflect that level. In the following, all current configuration verbs that impact security are described and suggestions for setting their values are provided. The Appendices display this information in tabular form, including suggestions for security levels broadly described as low, medium and high. The path to each configuration setting describes its location within the Configuration menu, then Site Configuration and finally the Settings navigation pane. This displays several choices; the first item in the path shown is one of those choices and the following items are submenus leading to the setting.

Common > General > Security

SEC_CONFIG_PASSWD

This setting protects the Configuration Editor. If access to configuring the product is to be more restrictive than access to the administrator account, it should be protected from general distribution. Because the configuration editor can be used to change the security settings of the system, this value should always be set.

SEC_VALID_ADMIN_HOSTS

This setting limits access to the administrative interface to only those DNS domains that are specifically listed. If access to the administrative interface is from a large set of DNS domains, it may be difficult to set this, but it should be used if possible as it provides excellent protection from random attacks.

SEC_VALID_ENDUSER_HOSTS

This setting limits access to the end user interface to only those DNS domains that are specifically listed. This setting would normally be used only if the set of end users for the RightNow product is localized to a relatively small set of domains, such as a campus or a business.

SEC_INVALID_ENDUSER_HOSTS The IP addresses listed in this setting are prevented from accessing the end user interface. This configuration is primarily to prevent spidering of the site from particular sites.

SEC_VALID_INTEG_HOSTS

This setting limits access to the Integration Interface (XML API) to only those DNS domains that are specifically listed. The Integration interface allows considerable access to resources on the site so it is important that the value be restrictive rather than permissive.

SEC_END_USER_HTTPS

If set, certain pages in the end user interface can only be accessed by using the Secure Socket Layer (SSL) protocol, which encrypts all communications. If your site is SSL capable it adds additional security, but it also requires that all end users have browsers that are SSL enabled. All modern browsers are SSL enabled, but it is a business as well as a security decision. If the data you collect from end users is sensitive, this setting should be enabled to reduce the risk of data leakage. The pages secured are primarily those used for submitting data. This setting must be done by RightNow Hosting and must include the enabling of HTTPS_REDIRECT. Contact RightNow Customer Care for assistance.

SEC_INVALID_USER_AGENT The list of user agent names provided here is denied access to the end user interface. This is generally used to prevent spidering by particular user agents. For example, GoogleBot or msnbot.

SEC_SPIDER_USER_AGENT

The list of IP addresses provided here is considered to be web spidering sites, so they are handled differently in statistics collection and will experience different end user interface behavior. For example, InternalSpider or BurpSuite.

SEC_P3P_COMPACT_HDR

This setting describes the Platform for Privacy Preferences (P3P) policy used in setting and using cookies. The P3P standard provides a common language and methodology for browsers to interact with web sites and ensure that the user’s privacy requirements are met by the web server. This setting should not be changed unless customization results in a change in cookie handling, and the change should be performed only by someone knowledgeable about P3P. The default is: “CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV”.

SEC_VALID_CHAT_API_HOSTS Specifies a comma-separated list of IP masks/subnets that enforce access restriction on any Chat related public API request coming from the client to the RNW server. Valid entries include specific IP addresses, or IP subnet masks (for example, 1.2.3.4, 10.11.12.0/255.255.255.0). The RNW server will validate the IP address of the requestor against this list and return an error if the requestor is not contained in the list. If this value is blank, the server will accept requests from all hosts. Default is blank.
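An added example, not RightNow’s code, of how a SEC_VALID_CHAT_API_HOSTS, CHAT_WS_API_IP_HOSTS or SRV_CHAT_INTERNAL_NET style value in the format given above can be parsed and enforced: bare IPv4 addresses and address/dotted-netmask entries are accepted, a blank value means every host is allowed (the permissive default the Chat API and Server Protection sections warn about), and a non-contiguous mask is rejected rather than silently widened. Accepting address/prefix-length entries is an assumed extension, not something the page documents.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// HostList is a parsed comma-separated list of IPv4 hosts and subnets.
type HostList struct {
	nets []*net.IPNet
}

// ParseHostList parses entries such as "1.2.3.4" and "10.11.12.0/255.255.255.0".
// A blank value yields an empty list, which Allowed treats as "all hosts".
func ParseHostList(value string) (*HostList, error) {
	hl := &HostList{}
	for _, entry := range strings.Split(value, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		n, err := parseEntry(entry)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", entry, err)
		}
		hl.nets = append(hl.nets, n)
	}
	return hl, nil
}

func parseEntry(entry string) (*net.IPNet, error) {
	addr, mask, hasMask := strings.Cut(entry, "/")
	ip := net.ParseIP(addr)
	if ip == nil || ip.To4() == nil {
		return nil, errors.New("not an IPv4 address")
	}
	ip = ip.To4()
	if !hasMask { // a single host
		return &net.IPNet{IP: ip, Mask: net.CIDRMask(32, 32)}, nil
	}
	if strings.Contains(mask, ".") { // dotted netmask, the form the page shows
		m := net.ParseIP(mask)
		if m == nil || m.To4() == nil {
			return nil, errors.New("bad netmask")
		}
		ipMask := net.IPMask(m.To4())
		if _, bits := ipMask.Size(); bits == 0 {
			return nil, errors.New("non-contiguous netmask") // e.g. 255.0.255.0
		}
		return &net.IPNet{IP: ip.Mask(ipMask), Mask: ipMask}, nil
	}
	_, n, err := net.ParseCIDR(entry) // assumed extension: prefix-length form
	return n, err
}

// Open reports whether the configured value leaves the API reachable from any host.
func (hl *HostList) Open() bool { return len(hl.nets) == 0 }

// Allowed is the check the server performs on the requestor's address before serving
// a Chat API request; an unparseable address is refused when a list is configured.
func (hl *HostList) Allowed(requestor string) bool {
	if hl.Open() {
		return true
	}
	ip := net.ParseIP(requestor)
	if ip == nil {
		return false
	}
	for _, n := range hl.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
```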

Common > General > Error Logging

ERR_INT_ERROR_DETAILS_ENABLED If disabled, error messages displayed by the site will be minimal, while if enabled, more detail is provided. To prevent attackers from gaining information about your site, this setting should be disabled. If enabled for the purposes of troubleshooting the site, it should be disabled immediately after.

RNW Common > Facebook

FACEBOOK_APPLICATION_ID Specifies the ID of the application created within Facebook that will be used to host this feature. Default is blank.

FACEBOOK_APPLICATION_SECRET Specifies the application secret key for the Facebook application that will be used to host this feature. Required to be able to authenticate users on the Facebook application. Default is blank.

FACEBOOK_ENABLED Controls whether the RightNow Facebook application is enabled. Default is disabled (No).

FACEBOOK_INCIDENTS_ENABLED

Specifies whether users should be allowed to create private incidents from within the Facebook application. The default is enabled.

File Attachments > Configuration

FATTACH_OPEN_ENABLED

File attachments can contain malware, programs that can run on your computer and cause damage. Viruses, trojans and worms are examples. You can reduce the risk by requiring that all uploaded file attachments be saved before they can be opened, providing an opportunity for the file to be tested to determine its safety. This does require third party malware detection software to do the testing. Disabling this flag will require that all file attachments be saved, not opened.

RNW Common > RightNow Social > General

COMMUNITY_PRIVATE_KEY The private key used to encrypt exchanges for the RightNow Community search API.

COMMUNITY_PUBLIC_KEY The public key used to encrypt exchanges for the RightNow Community search API.

Service Modules > RightNow Email

EGW_PASSWD_CREATE

If disabled, contacts created as part of the email gateway will not have passwords. Un-passworded accounts should not be allowed under most circumstances.

EGW_SECURE_UPDATE_ENABLED

Disabling this setting allows an incident to be updated by an email from any address (rather than having to match the contact record in the database). While not a particular security threat, it does provide an opportunity for your database to be contaminated by a malicious attacker if not enabled.

External Events > Incoming Integration

II_CONNECT

This enables the RightNow Connect integration. It should be disabled unless this part of the product is being actively used.

My Stuff > Security

CP_LOGIN_COOKIE_ENABLED

This setting is on by default, and enables the use of cookies in the Customer Portal interface. If off, critical authentication information is sent in the URL parameters, which is less secure than using cookies, so this setting should be enabled.

CP_LOGIN_COOKIE_EXP

This setting determines the length of time before a cookie expires for the Customer Portal interface. If this value is set to a large value, it can provide an opportunity for an attacker to hijack the cookie and use it to gain access. The recommended maximum lifetime for a cookie is 24 hours or 1440 minutes and the minimum is 10 minutes. A shorter time provides better security.

CP_LOGIN_COOKIE_REQ

This setting is deprecated in RightNow CX© version 10.2 and later.

MYSEC_AUTO_CUST_CREATE

This setting determines whether new accounts can be created by customers accessing the end user interface. If disabled, only users with existing accounts will be granted access, typically created through the actions of an administrative user or the integration API; if enabled, anyone accessing the end user site can create an account.

MYSEC_LOGIN_COOKIE_EXP

This setting determines the length of time before the login cookie expires. If this value is set to a large value, it can provide an opportunity for an attacker to hijack the cookie and use it to gain access. The recommended maximum lifetime for a cookie is 24 hours or 1440 minutes, and a shorter time provides better security.

MYSEC_LI_ERR_ENABLED

If pass-through authentication is used, this setting requires that data validation errors between the authentication server and the RightNow CX© site result in the failure of the integration request. It is suggested that this setting be enabled to protect the site from malicious attempts to subvert the integration security.

MYSEC_LI_PASSWD

This setting applies only if pass-through authentication is used. This password is included in the pass-through authentication string and should be as strong as any other password. The length should be at least 12 characters to prevent brute force guessing. This password should not be blank, as that provides a path for an attacker to gain access to the product without providing full credentials.

MYSEC_MIN_PASSWD_LEN

The minimum password length for end users should be set to a value that is reasonable for the criticality of the data collected. The minimum length should be 7-8 for sites with low criticality data. For sensitive data, the minimum length should be 10-12. Studies show that users, in spite of warnings, tend to pick passwords that are easy to guess, but long passwords require very long times to crack even if they are made up of common words. See the section on password issues.

General > Data Entry

EU_CUST_PASSWD_ENABLED

When enabled, end users must log in with a password. In most instances, it should be enabled.

File Attach

FATTACH_MAX_SIZE Sets the maximum size of a file attachment that can be uploaded from the end user interface. Setting this to a value that is as small as practical given the types of attachments that might be uploaded reduces the likelihood of a denial-of-service attack by filling the available disk space.

Toolbar

General

LOGIN_SECURITY_MSG The value of this setting is a string that, if not blank, is displayed in a dialog box when a user logs in to the DotNet client. The user can choose OK to continue the login or Cancel to terminate it. The message is intended to warn those logging in if there are restrictions on the use of the site.

OpenLogin

OAuth Apps

FACEBOOK_OAUTH_APP_ID This setting is one of the credentials that must be transmitted to the Facebook application in order to authenticate using OAuth. The value is provided by Facebook when the integration application is created.

FACEBOOK_OAUTH_APP_SECRET This setting is one of the credentials that must be transmitted to the Facebook application in order to authenticate using OAuth. The value is provided by Facebook when the integration application is created.

TWITTER_OAUTH_APP_ID This setting is one of the credentials that must be transmitted to the Twitter application in order to authenticate using OAuth. The value is provided by Twitter when the integration application is created.

TWITTER_OAUTH_APP_SECRET This setting is one of the credentials that must be transmitted to the Twitter application in order to authenticate using OAuth. The value is provided by Twitter when the integration application is created.

PTA


PTA_ENABLED Enables the use of PTA login integration. When this setting is disabled, all requests to /ci/pta/* are rejected and generate an error. When enabled, users cannot modify the Username field on their account, regardless of how they log in. Default is disabled (No).

PTA_ENCRYPTION_KEYGEN Specifies the type of keygen method to use for PTA encryption. Valid values are:

1 - RSSL_KEYGEN_PKCS5_V15
2 - RSSL_KEYGEN_PKCS5_V20
3 - RSSL_KEYGEN_NONE

Default is 2.

PTA_ENCRYPTION_METHOD Specifies the encryption scheme PTA logins should use. If this setting is blank, the PTA string is base64-encoded only. Valid values are:

des3 - Three-key triple DES EDE in CBC mode
aes128 - 128-bit AES in CBC mode
aes192 - 192-bit AES in CBC mode
aes256 - 256-bit AES in CBC mode

Default is blank.

PTA_ENCRYPTION_PADDING Specifies the type of padding method to use for PTA encryption. Valid values are:

1 - RSSL_PAD_PKCS7
2 - RSSL_PAD_NONE
3 - RSSL_PAD_ZERO
4 - RSSL_PAD_ISO10126
5 - RSSL_PAD_ANSIX923

Default is 5.

PTA_IGNORE_CONTACT_PASSWORD Specifies whether contact passwords are honored during PTA logins. If enabled, contact passwords are ignored and users can log in through PTA with just a username. However, they cannot log in directly to the customer portal until they complete the account creation process. When this setting is enabled, PTA_ENCRYPTION_METHOD must contain a value or the login attempt will fail. Default is disabled (No).

PTA_SECRET Specifies the secret key used to validate login integration parameters when encryption is disabled or to decode the PTA string when encryption is enabled. If encryption is disabled, this value should be passed as a p_li_passwd parameter encoded within the PTA login string. If encryption is enabled, this value should not be contained within the PTA string and should be used only to encrypt the value sent. Requests that send an invalid value will be rejected. Default is blank.
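The following Python is an added illustration, not RightNow code. It mirrors the rules of the PTA settings above for the unencrypted (base64-only) case: with PTA_ENABLED off every request is rejected, a missing or mismatching p_li_passwd rejects the request, data validation errors fail the request when MYSEC_LI_ERR_ENABLED is on, and the configuration check flags PTA_IGNORE_CONTACT_PASSWORD without a PTA_ENCRYPTION_METHOD as well as a blank or short PTA_SECRET. The PtaConfig class, the form-encoded key=value layout inside the base64 string and the parameter name p_userid are assumptions made for the example; only p_li_passwd is named in this guide, and the real PTA string format is not specified here.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode


@dataclass(frozen=True)
class PtaConfig:
    """Hypothetical in-memory copy of the PTA verbs described in the guide."""
    pta_enabled: bool
    pta_secret: str
    pta_encryption_method: str = ""            # blank = base64-only, no encryption
    pta_ignore_contact_password: bool = False
    mysec_li_err_enabled: bool = True


VALID_METHODS = {"", "des3", "aes128", "aes192", "aes256"}
REQUIRED_FIELDS = ("p_userid", "p_li_passwd")   # p_userid is an assumed field name


def check_config(cfg):
    """Return the configuration inconsistencies the guide warns about (empty = consistent)."""
    problems = []
    if cfg.pta_encryption_method not in VALID_METHODS:
        problems.append("PTA_ENCRYPTION_METHOD has an unknown value")
    if cfg.pta_enabled and not cfg.pta_secret:
        problems.append("PTA_SECRET must be set when PTA is enabled")
    elif cfg.pta_secret and len(cfg.pta_secret) < 12:
        problems.append("PTA_SECRET is shorter than the 12-character minimum")
    if cfg.pta_ignore_contact_password and not cfg.pta_encryption_method:
        problems.append("PTA_IGNORE_CONTACT_PASSWORD requires PTA_ENCRYPTION_METHOD")
    return problems


def build_unencrypted_pta_string(params):
    """What the identity provider sends when PTA_ENCRYPTION_METHOD is blank:
    the parameters, form-encoded and then base64-encoded (assumed layout)."""
    return base64.b64encode(urlencode(params).encode()).decode()


def validate_unencrypted_pta(cfg, pta_string):
    """Server-side acceptance check for a base64-only PTA string.

    Returns (accepted, reason, params).  Only the unencrypted case is handled:
    with encryption on, p_li_passwd must not appear in the string at all."""
    if not cfg.pta_enabled:
        return False, "PTA_ENABLED is off: /ci/pta/* requests are rejected", {}
    if cfg.pta_encryption_method:
        return False, "encrypted PTA string: decrypt with PTA_SECRET instead", {}
    try:
        raw = base64.b64decode(pta_string, validate=True).decode("utf-8")
        # strict_parsing mirrors MYSEC_LI_ERR_ENABLED: malformed pairs fail the request
        params = dict(parse_qsl(raw, keep_blank_values=True,
                                strict_parsing=cfg.mysec_li_err_enabled))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False, "malformed PTA string", {}
    missing = [field for field in REQUIRED_FIELDS if not params.get(field)]
    if missing:
        return False, "missing required field(s): " + ", ".join(missing), {}
    # Constant-time comparison so the secret cannot be recovered byte by byte
    if not hmac.compare_digest(params["p_li_passwd"].encode(), cfg.pta_secret.encode()):
        return False, "p_li_passwd does not match PTA_SECRET", {}
    return True, "ok", params
```

Because a blank p_li_passwd is treated as a missing field, a blank PTA_SECRET can never be matched, which is the behaviour the guide asks for when it says the secret must be set and protected.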


Security

SUBMIT_TOKEN_EXP Certain exchanges between parts of the end user interface are protected by a token to ensure that an attacker cannot capture user-entered data. For example, entering data for a new user account is the first part and processing it is the second part. A critical part of the exchange is the time period for which the token is active, and that value is set by this configuration verb. Making it too long can make the product vulnerable to Cross Site Request Forgery and Denial of Service attacks, and making it too short can cause user exchanges to fail as the token times out. The default is 30 minutes and, since these exchanges should normally take no more than a few minutes, it should be adequate.
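As an added example, not the product's own implementation, the following Python shows one way such a two-part exchange can be protected: the first part issues a token bound to its purpose and issue time by an HMAC, and the second part accepts it only if the signature is intact, the purpose matches, and the age is within the SUBMIT_TOKEN_EXP lifetime. The secret, the purpose names and the token layout are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time

SUBMIT_TOKEN_EXP_MINUTES = 30   # the guide's default for SUBMIT_TOKEN_EXP


def issue_submit_token(secret, purpose, now=None, nonce=None):
    """Part 1 of an exchange (for example, showing the new-account form):
    return a token bound to this purpose and to its issue time."""
    issued = int(time.time() if now is None else now)
    nonce_hex = (os.urandom(8) if nonce is None else nonce).hex()
    payload = f"{purpose}|{issued}|{nonce_hex}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"|" + mac.encode()).decode()


def verify_submit_token(secret, token, purpose, now=None,
                        exp_minutes=SUBMIT_TOKEN_EXP_MINUTES):
    """Part 2 (processing the submitted form): accept the token only if it is
    untampered, was issued for this purpose, and is still inside SUBMIT_TOKEN_EXP."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac_hex = raw.rsplit(b"|", 1)
        tok_purpose, issued_str, _nonce = payload.decode().split("|")
        issued = int(issued_str)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False, "malformed"
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    # compare_digest runs in constant time, so the MAC cannot be forged byte by byte
    if not hmac.compare_digest(mac_hex, expected):
        return False, "bad signature"
    if tok_purpose != purpose:
        return False, "wrong purpose"
    now = time.time() if now is None else now
    if now < issued:
        return False, "issued in the future"
    if now - issued > exp_minutes * 60:
        return False, "expired"
    return True, "ok"
```

The signature check comes before the time check so that a forged token never reaches the expiry logic; the lifetime itself is the only tunable, which is exactly the trade-off the setting describes: long enough for a real user to finish the form, short enough that a captured token is of little use.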

CLIENT_SESSION_EXP Establishes an idle timeout for users of the DotNet Client. If no user input is given before the expiration of this time, the client will be disconnected and a new login will be required. The default value is no expiration (zero), but good security practice suggests that a value of 15-30 minutes is appropriate.

Syndicated Widgets

WIDGET_INSTALLATION_HOSTS Provides a list of external hosts that are allowed to download widgets to a site. A blank value allows any host to be used, which is dangerous since the widgets can contain malicious code.

RN Marketing

General

Campaigns There are five settings in this category that determine the default strategies for authenticating users in marketing campaigns.

WEBFORM_ID_BY_LOGIN_DEFAULT - If set, the Identify User By option will be enabled in the Campaign Editor.

WEBFORM_ID_BY_LOGIN_REQUIRED_DEFAULT - Provides the same functionality as WEBFORM_ID_BY_LOGIN_DEFAULT, but also forces the display of the login/password screen for all users.

WEBFORM_ID_BY_COOKIE_DEFAULT - If set, the Set Browser Cookie on Submit option will be enabled in the Campaign Editor.

WEBFORM_ID_BY_URL_PARAM_DEFAULT - If set, the Identify User By option will be enabled in the Campaign Editor.

WEBFORM_SET_COOKIE_DEFAULT - If set, the Set Browser Cookie on Submit option will be enabled in the Campaign Editor.

Setting these values provides master control over the security of the campaign pages, because the functionality is fixed by default rather than left to be set manually by the designer. If possible, it is preferred that this method be used to prevent an inadvertent reduction in the desired security. Using a login/password combination is the highest level of security, but it may be impractical.


Chat

General

Create Incident

INC_PRIVATE_TRANSCRIPT_ONLY Specifies whether chat transcripts will be added to incidents as a private note. Consumers will not be able to see past chats. Default is disabled (No).

Server

CHAT_UQ_EXTERNAL_QUEUES Specifies the chat queues that are externally routed as a comma-delimited list of queue identifiers. Default is blank.

CHAT_WS_API_IP_HOSTS Specifies the IP address(es) of the RightNow Web server(s). Valid entries include a comma-separated list of domain names with wildcards, specific IP addresses, or IP subnet masks (for example, *.rightnow.com,1.2.3.4, 10.11.12.0/255.255.255.0). Specific IP addresses or IP subnet masks are recommended for efficiency. This setting will be used to validate SOAP requests from the RightNow Web servers to the Chat servers.

CHAT_WS_API_KEY If specified, this value will need to be included in any Chat-related public API request. The provided value must match this string or the request will be denied. Blank implies that no key is being used, and is not recommended. Default is blank.

SRV_CHAT_INTERNAL_NET Specifies the IP address of the RightNow Chat server. Valid entries include a comma-separated list of domain names with wildcards, specific IP addresses, or IP subnet masks (for example, *.rightnow.com,1.2.3.4, 10.11.12.0/255.255.255.0). Specific IP addresses or IP subnet masks are recommended for efficiency. This setting will be used to validate SOAP requests from the Chat Service.
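The entry forms described for CHAT_WS_API_IP_HOSTS and SRV_CHAT_INTERNAL_NET (wildcard domain names, specific IP addresses and IP subnet masks in one comma-separated list) are illustrated by the following Python, an added example rather than the product's own code. The same matcher can be applied to the host list in WIDGET_INSTALLATION_HOSTS from the Syndicated Widgets section above, on the assumption that it uses the same comma-separated form. It assumes the caller supplies any client hostname through a resolution it trusts; a name entry can only be as reliable as that lookup, which is one reason the guide recommends specific IP addresses or subnets.

```python
import fnmatch
import ipaddress


def parse_host_list(value):
    """Split a comma-separated verb value into entries; a blank value means no restriction."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def _entry_matches(entry, ip, hostname):
    # Subnet with a dotted mask (10.11.12.0/255.255.255.0) or in CIDR form (10.11.12.0/24)
    if "/" in entry:
        try:
            return ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False            # an unparsable entry never matches anything
    # A specific IP address
    try:
        return ip == ipaddress.ip_address(entry)
    except ValueError:
        pass
    # A domain name, possibly with wildcards.  Only usable when the caller has a
    # hostname it trusts (forward-confirmed, not a bare reverse lookup).
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), entry.lower())


def host_allowed(verb_value, client_ip, client_hostname=None):
    """Decide whether a request from client_ip (and an optional hostname) passes the list."""
    entries = parse_host_list(verb_value)
    if not entries:
        return True                 # blank list accepts every host, which the guide discourages
    ip = ipaddress.ip_address(client_ip)
    return any(_entry_matches(entry, ip, client_hostname) for entry in entries)
```

The three entry kinds are tried in a fixed order (subnet, exact address, name pattern), so an IP entry can never be satisfied by a name match and a pattern such as *.rightnow.com cannot match a host whose name merely contains that string.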


Appendix A: Recommended Settings Alphabetically

Configuration Verb             | Criticality | Recommended Setting
Campaigns                      | Med         | Depends on need
CHAT_UQ_EXTERNAL_QUEUES        | Med         | As required
CHAT_WS_API_IP_HOSTS           | High        | Limit to legal hosts
CHAT_WS_API_KEY                | High        | Set
CLIENT_SESSION_EXP             | High        | 15-30
CP_COOKIES_ENABLED             | Low         |
CP_CONTACT_LOGIN_REQUIRED      | Med         | Depends on need
CP_LOGIN_COOKIE_EXP            | High        |
CP_LOGIN_COOKIE_REQ            | Med         | Deprecated
CP_LOGIN_MAX_TIME              | Med         |
CP_MAX_INVALID_LOGINS          | Med         |
CP_MAX_LOGINS                  | Low         |
CP_MAX_LOGINS_PER_CONTACT      | Low         |
EU_CUST_PASSWD_ENABLED         | High        | Enabled
EGW_PASSWD_CREATE              | Med         | Enabled
EGW_SECURE_UPDATE_ENABLED      | Med         | Enabled
ERR_INT_ERROR_DETAILS_ENABLED  | High        | Disabled
FACEBOOK_INCIDENTS_ENABLED     | Med         | Disabled
FACEBOOK_OAUTH_APP_ID          | Low         | Depends on need
FACEBOOK_OAUTH_APP_SECRET      | Low         | Depends on need
FATTACH_OPEN_ENABLED           | Med         | Disabled
FATTACH_MAX_SIZE               | Low         | As small as possible
II_CONNECT                     | Low         | Enable only if needed
II_EMAIL_ERROR_ADDR            | Low         |
INC_PRIVATE_TRANSCRIPT_ONLY    | Med         | Enabled
LOGIN_SECURITY_MSG             | Low         | Depends on need
MYSEC_AUTO_CUST_CREATE         | Low         | Depends on need
MYSEC_EXT_LOGOUT_URL           | Low         | Depends on need
MYSEC_LI_ERR_ENABLED           | Med         | Enabled for PTA
MYSEC_LI_PASSWD                | Med         | 12 character minimum, not blank
MYSEC_LOGIN_COOKIE_EXP         | High        | Less than 1440 minutes
MYSEC_MIN_PASSWD_LEN           | High        | 8-12 characters
PTA_ENABLED                    | Low         | Depends on need
PTA_ENCRYPTION_KEYGEN          | Low         | Depends on need
PTA_ENCRYPTION_METHOD          | Low         | Depends on need
PTA_ENCRYPTION_PADDING         | Low         | Depends on need
PTA_IGNORE_CONTACT_PASSWORD    | Med         | Can introduce vulnerabilities
PTA_SECRET                     | High        | Must be set and protected
RNMD_PORT                      | Low         |
SEC_CONFIG_PASSWD              | High        | 12 character minimum
SEC_END_USER_HTTPS             | Med         | Enabled
SEC_EU_EMAIL_LINK_EXPIRE       | Med         | Enabled
SEC_P3P_COMPACT_HDR            | Low         |
SEC_VALID_ADMIN_HOSTS          | High        | Enabled and set
SEC_VALID_CHAT_API_HOSTS       | High        | Limit to legal hosts
SEC_VALID_ENDUSER_HOSTS        | Low         | Depends on need
SEC_INVALID_ENDUSER_HOSTS      | Low         | Depends on need
SEC_VALID_INTEG_HOSTS          | Low         | Depends on need
SEC_SPIDER_USER_AGENT          | Low         | Depends on need
SEC_INVALID_USER_AGENT         | Low         | Depends on need
SRV_CHAT_INTERNAL_NET          | High        | Limit to legal servers
SUBMIT_TOKEN_EXP               | Med         | 30 minutes
TWITTER_OAUTH_APP_ID           | Low         | Depends on need
TWITTER_OAUTH_APP_SECRET       | Low         | Depends on need
WIDGET_INSTALLATION_HOSTS1     | Med         | Site list


Appendix B: Recommended Settings by Criticality

Configuration Verb             | Criticality | Recommended Setting
CHAT_WS_API_IP_HOSTS           | High        | Limit to legal hosts
CHAT_WS_API_KEY                | High        | Set
CLIENT_SESSION_EXP             | High        | 15-30
CP_COOKIES_EXP                 | High        |
ERR_INT_ERROR_DETAILS_ENABLED  | High        | Disabled
II_CONNECT                     | High        | Enable only if necessary
MYSEC_LOGIN_COOKIE_EXP         | High        | Less than 1440 minutes
MYSEC_MIN_PASSWD_LEN           | High        | 8-12 characters
PTA_SECRET                     | High        | Must be set and protected
SEC_CONFIG_PASSWD              | High        | 12 character minimum
SEC_VALID_ADMIN_HOSTS          | High        | Enabled and set
SEC_VALID_CHAT_API_HOSTS       | High        | Limit to legal hosts
SRV_CHAT_INTERNAL_NET          | High        | Limit to legal servers
Campaigns                      | Med         | Depends on need
CHAT_UQ_EXTERNAL_QUEUES        | Med         | As required
CP_CONTACT_LOGIN_REQUIRED      | Med         | Depends on need
CP_LOGIN_COOKIE_REQ            | Med         | Deprecated
CP_LOGIN_MAX_TIME              | Med         | As needed
CP_MAX_INVALID_LOGINS          | Med         |
EGW_PASSWD_CREATE              | Med         | Enabled
EGW_SECURE_UPDATE_ENABLED      | Med         | Enabled
FACEBOOK_ENABLED               | Med         | As required
FACEBOOK_INCIDENTS_ENABLED     | Med         | Disabled
FATTACH_OPEN_ENABLED           | Med         | Disabled
INC_PRIVATE_TRANSCRIPT_ONLY    | Med         | Enabled
MYSEC_LI_ERR_ENABLED           | Med         | Enabled for PTA
MYSEC_LI_PASSWD                | Med         | 12 character minimum, not blank
PTA_IGNORE_CONTACT_PASSWORD    | Med         | Can introduce vulnerabilities
SEC_END_USER_HTTPS             | Med         | Enabled
SEC_EU_EMAIL_LINK_EXPIRE       | Med         | Enabled
SUBMIT_TOKEN_EXP               | Med         | 30 minutes
WIDGET_INSTALLATION_HOSTS1     | Med         | Site list
CP_COOKIES_ENABLED             | Low         | Depends on need
CP_MAX_LOGINS                  | Low         |
CP_MAX_LOGINS_PER_CONTACT      | Low         |
FACEBOOK_OAUTH_APP_ID          | Low         | Depends on need
FACEBOOK_OAUTH_APP_SECRET      | Low         | Depends on need
FATTACH_MAX_SIZE               | Low         | As small as possible
II_EMAIL_ERROR_ADDR            | Low         |
LOGIN_SECURITY_MSG             | Low         | Depends on need
MYSEC_AUTO_CUST_CREATE         | Low         | Depends on need
MYSEC_EXT_LOGOUT_URL           | Low         | Depends on need
PTA_ENABLED                    | Low         | Depends on need
PTA_ENCRYPTION_KEYGEN          | Low         | Depends on need
PTA_ENCRYPTION_METHOD          | Low         | Depends on need
PTA_ENCRYPTION_PADDING         | Low         | Depends on need
RNMD_PORT                      | Low         |
SEC_P3P_COMPACT_HDR            | Low         |
SEC_INVALID_ENDUSER_HOSTS      | Low         | Depends on need
SEC_INVALID_USER_AGENT         | Low         | Depends on need
SEC_SPIDER_USER_AGENT          | Low         | Depends on need
SEC_VALID_ENDUSER_HOSTS        | Low         | Depends on need
SEC_VALID_INTEG_HOSTS          | Low         | Depends on need
TWITTER_OAUTH_APP_ID           | Low         | Depends on need
TWITTER_OAUTH_APP_SECRET       | Low         | Depends on need


Appendix C: Recommended Settings by Type

The following is a list of the minimal set of security-related items that should be considered when configuring the product. Not all must be modified from the default, but the effect should be considered in the context of the security needs of your site.

□ Authentication
  ○ CP_CONTACT_LOGIN_REQUIRED
  ○ CP_MAX_INVALID_LOGINS
  ○ CP_MAX_LOGINS
  ○ CP_MAX_LOGINS_PER_USER
  ○ EGW_PASSWD_CREATE
  ○ EU_CUST_PASSWD_ENABLED
  ○ FACEBOOK_OAUTH_APP_ID
  ○ FACEBOOK_OAUTH_APP_SECRET
  ○ LOGIN_SECURITY_MSG
  ○ MYSEC_MIN_PASSWD_LEN
  ○ MYSEC_LI_ERR_ENABLED
  ○ MYSEC_LI_PASSWD
  ○ SEC_CONFIG_PASSWD
  ○ SEC_EU_EMAIL_LINK_EXPIRE
  ○ TWITTER_OAUTH_APP_ID
  ○ TWITTER_OAUTH_APP_SECRET
  ○ WIDGET_INSTALLATION_HOSTS

□ Administrative site protection
  ○ CLIENT_SESSION_EXP
  ○ FATTACH_MAX_SIZE
  ○ FATTACH_OPEN_ENABLED
  ○ SEC_INVALID_ENDUSER_HOSTS
  ○ SEC_INVALID_USER_AGENT
  ○ SEC_SPIDER_USER_AGENT
  ○ SEC_VALID_ENDUSER_HOSTS

□ Session Management
  ○ CP_COOKIES_ENABLED
  ○ CP_LOGIN_COOKIE_EXP
  ○ CP_LOGIN_COOKIE_REQ (Deprecated)
  ○ CP_LOGIN_MAX_TIME
  ○ MYSEC_EXT_LOGOUT_URL
  ○ MYSEC_LOGIN_COOKIE_EXP
  ○ SEC_VALID_ADMIN_HOSTS

□ Chat
  ○ CHAT_UQ_EXTERNAL_QUEUES
  ○ CHAT_WS_API_IP_HOSTS
  ○ CHAT_WS_API_KEY
  ○ CP_CONTACT_LOGIN_REQUIRED
  ○ INC_PRIVATE_TRANSCRIPT_ONLY
  ○ SEC_VALID_CHAT_API_HOSTS
  ○ SRV_CHAT_INTERNAL_NET

□ Pass-Through Authentication
  ○ PTA_ENABLED
  ○ PTA_ENCRYPTION_KEYGEN
  ○ PTA_ENCRYPTION_METHOD
  ○ PTA_ENCRYPTION_PADDING
  ○ PTA_IGNORE_CONTACT_PASSWORD
  ○ PTA_SECRET

□ Facebook
  ○ FACEBOOK_ENABLED
  ○ FACEBOOK_INCIDENTS_ENABLED

□ Other
  ○ EGW_SECURE_UPDATE_ENABLED
  ○ FACEBOOK_INCIDENTS_ENABLED
  ○ SEC_VALID_ENDUSER_HOSTS
  ○ SEC_VALID_INTEG_HOSTS
  ○ OT_PASSWD_DISP
  ○ SEC_END_USER_HTTPS
  ○ ERR_INT_ERROR_DETAILS_ENABLED
  ○ Campaigns


Appendix D: Security Level Settings

Each site has unique considerations, but the following represent configuration settings that should be considered to achieve the level of security (High, Moderate, Low) indicated. A blank entry indicates that the setting can be ignored for the given level. Note that these are suggestions, but only an analyst with comprehensive knowledge of a site and its use can make an accurate determination of security needs.

Configuration Verb             | High          | Moderate     | Low
Campaigns                      |               |              |
CLIENT_SESSION_EXP             | 15            | 30           | 0
CP_COOKIES_ENABLED             | Set           | Set          | Set
CP_CONTACT_LOGIN_REQUIRED      | Set           | Set          | Unset
CP_LOGIN_COOKIE_EXP            | -1            | < 480        | < 1440
CP_LOGIN_COOKIE_REQ            | (4)           | (4)          | (4)
CP_LOGIN_MAX_TIME              | (1)           | (1)          | (1)
CP_MAX_INVALID_LOGINS          | 3             | 10           | 0
CP_MAX_LOGINS                  | (3)           | (3)          | (3)
CP_MAX_LOGINS_PER_CONTACT      | 1-3           | Unset        | Unset
EU_CUST_PASSWD_ENABLED         | Enable        | Enable       |
EGW_PASSWD_CREATE              | Enable        | Enable       |
EGW_SECURE_UPDATE_ENABLED      | Enable        | Enable       |
ERR_INT_ERROR_DETAILS_ENABLED  | Disable       | Disable      |
FACEBOOK_ENABLED               | (1)           | (1)          | (1)
FACEBOOK_INCIDENTS_ENABLED     | Disabled      | (1)          | (1)
FACEBOOK_OAUTH_APP_ID          | Low           | (1)          | (1)
FACEBOOK_OAUTH_APP_SECRET      | Low           | (1)          | (1)
FATTACH_MAX_SIZE               | (3)           | (3)          | (3)
FATTACH_OPEN_ENABLED           | Disable       | Disable      |
II_CONNECT                     | (1)           | (1)          | (1)
II_EMAIL_ERROR_ADDR            | (1)           | (1)          | (1)
INC_PRIVATE_TRANSCRIPT_ONLY    | Set           | Set          | Unset
LOGIN_SECURITY_MSG             | (1)           | (1)          | (1)
MYSEC_EXT_LOGOUT_URL           | (1)           | (1)          | (1)
MYSEC_AUTO_CUST_CREATE         | Disable       | Disable      |
MYSEC_LI_ERR_ENABLED           | Enable        | Enable       |
MYSEC_LI_PASSWD                | Set           | Set          | Set
MYSEC_LOGIN_COOKIE_EXP         | -1            | < 480        | < 1440
MYSEC_MIN_PASSWD_LEN           | 10 characters | 8 characters | 6 characters
RNMD_PORT                      |               |              |
SEC_CONFIG_PASSWD              | Set           | Set          | Set
SEC_EU_EMAIL_LINK_EXPIRE       | 1             | 12           | 24
SEC_END_USER_HTTPS             | Enable        |              |
SEC_P3P_COMPACT_HDR            | Configure     |              |
SEC_VALID_ADMIN_HOSTS          | (2)           | (2)          | Blank
SEC_VALID_ENDUSER_HOSTS        | (2)           | Blank        |
SEC_INVALID_ENDUSER_HOSTS      | (2)           | Blank        | Blank
SEC_VALID_INTEG_HOSTS          | (2)           | Blank        | Blank
SEC_SPIDER_USER_AGENT          | (2)           | Blank        | Blank
SEC_INVALID_USER_AGENT         | (2)           | Blank        | Blank
SUBMIT_TOKEN_EXP               | 30-60 sec     | 30-300 sec   | 30-1000 sec
TWITTER_OAUTH_APP_ID           | Low           | (1)          | (1)
TWITTER_OAUTH_APP_SECRET       | Low           | (1)          | (1)
WIDGET_INSTALLATION_HOSTS      | (1)           | (1)          | Blank

Notes:

(1) Set if necessary for site needs.
(2) Set if practical.
(3) This setting has operating implications and should be set accordingly.
(4) Deprecated.


Appendix E: Recently Added

The following configuration settings have been added to the product recently and are listed here with the goal of making it easier to update the product in a secure manner. However, these settings may interact with older settings, so be advised that a thorough knowledge of the use of each configuration setting is required.

Feb'2011 Additions

CP_MAX_LOGINS
CP_MAX_LOGINS_PER_ACCOUNT
FACEBOOK_OAUTH_APP_ID
FACEBOOK_OAUTH_APP_SECRET
LOGIN_SECURITY_MSG
TWITTER_OAUTH_APP_ID
TWITTER_OAUTH_APP_SECRET

May'2011 Additions

CP_MAX_INVALID_LOGINS
TWITTER_SECURE_SEARCH (Hidden)